WPScan: Unauthenticated File Upload Vulnerability Addressed in Royal Elementor Addons and Templates 1.3.79

During an investigation of a series of website being actively compromised we noticed the constant presence of the Royal Elementor Addons and Templates plugin installed. And all sites had at least one malicious file dropped into the /wpr‑addons/forms/ directory.

As we reviewed the plugin it was found that the upload ajax action wasn’t properly validating the uploaded file’s extensions, allowing bad actors to bypass the check and drop malicious files to the /wpr‑addons/forms/ directory.

Upon identifying the vulnerability, we promptly alerted the plugin development team, who released version 1.3.79 to fix the issue. It is crucial for administrators to ensure their WordPress installations are fully updated to safeguard against this vulnerability.

More on the WPScan blog...

#infosec #wordpress #wpscan

WPScan: Finding A RCE Gadget Chain In WordPress Core

During a recent team gathering in Belgium, we had an impromptu Capture The Flag game that included a challenge with an SQL Injection vulnerability occurring inside an INSERT statement, meaning attackers could inject random stuff into the targeted table’s columns, and query information from the database, the intended “flag” being the credentials of a user on the affected blog.

The vulnerable SQL query inserted new rows into the wp_termmeta table, which while we knew it could potentially lead to Object Injection attacks due to the inserted metadata being passed through maybe_unserialize upon retrieval, we didn’t think too much about it since the common thought on the matter was that there was no known current RCE gadget chain in WordPress Core, and thus the challenge was “safe” since it didn’t use any other external plugins.

This proved to be enough to win that flag, however, the thought that there might be an alternative solution to the challenge piqued our curiosity. What if there was a working RCE gadget chain in Core waiting to be found?

Turns out, there was a way, which the WordPress Security Team fixed on version 6.3.2 by preventing several classes used in the final chain from either being unserialized at all, or restricting what some of their unserialized properties may contain.

More on the WPScan blog...

#infosec #wordpress #wpscan

WPScan: Email Leak Oracle Vulnerability Addressed in WordPress 6.3.2

During a thorough analysis of WordPress’ internals, we discovered a subtle bug that allowed unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website.

If successfully exploited, attackers could gather email addresses, putting user privacy at risk.

Upon identifying the vulnerability, we promptly alerted the WordPress team, who released version 6.3.2 to fix the issue. It is crucial for administrators to ensure their WordPress installations are fully updated to safeguard against this vulnerability.

More at the WPScan blog...

#infosec #wordpress #wpscan

Hacking Campaign Actively Exploiting Ultimate Member Plugin - WPScan WordPress Security

Recently, Automattic’s WP.cloud and Pressable.com platforms identified a trend in compromised sites, where rogue new administrator accounts kept appearing in the affected sites. After some investigation, we witnessed a post on the WordPress.org support forums by Slavic Dragovtev discussing a potential security issue, specifically a Privilege Escalation vulnerability, with the Ultimate Member plugin (200,000+ active installs). Worryingly, there were indications that this issue was being actively exploited by malicious actors.

In response to the vulnerability report, the creators of the plugin promptly released a new version, 2.6.4, intending to fix the problem. However, upon investigating this update, we found numerous methods to circumvent the proposed patch, implying the issue is still fully exploitable.

This is a nasty one! If you have a WordPress site with the Ultimate Member plugin installed, disable it immediately until the fix in version 2.6.7 has been confirmed.

#WordPress #WPScan #infosec #security #privesc